One of our customers has the following configuration:
- On the domain controller, there's an SQL Server.
- On his PC (WinXP), he logs on with
LocalPC\LocalUser
. - In Windows Explorer, he opens
DomainController\SomeShare
and authenticates asDomain\Administrator
. - He starts our application, which opens a trusted connection (Windows authentication) to the SQL Server. It works. In SSMS, the connection shows up with the user
Domain\Administrator
.
Firstly, I was surprised that this even works. (My first suspicion was that there is a user with the same name and password in the domain, but there is no user LocalUser
in the domain.)
Then we tried to reproduce the same behaviour on his new PC, but failed:
- On his new PC (Win7), he logs on with
OtherLocalPC\OtherLocalUser
. - In Windows Explorer, he opens
DomainController\SomeShare
and authenticates asDomain\Administrator
. - He starts our application, which opens a trusted connection (Windows authentication) to the SQL Server. It fails with the error message
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
Hence my question: Under which conditions can a non-domain user access a remote SQL Server using Windows Authentication with different credentials? Apparently, it's possible (it works on his old PC), but why? And how can I reproduce it?
Best Answer
As Bernie White mentioned, this is probably due to differences in kerberos configuration.
KerbTray
will work on WinXP,klist
is built in on W7 and above.Barring that, if the problem you are trying to solve is being able to the SQL servier using windows authentication, you can do so by running,
runas /netonly /user:DOMAIN\Administrator application.exe
.The other method I use is to have the user dial-in via VPN, even if they are sitting on the internal network. Doing so causes the network credential to be used for all open applications and has the benefit of allowing SSO for Outlook, SQL Server, LDAP and any other application they can access.